--- /dev/null
+/*
+ * ringBufferThreads.cpp - SecureTransport client and server thread
+ * routines which use ringBufferIo for I/O (no sockets).
+ *
+ * Customized for EAP-FAST testing; uses SSLInternalSetMasterSecretFunction()
+ * and SSLInternalSetSessionTicket().
+ */
+
+#include "ringBufferThreads.h"
+#include <stdlib.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <strings.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <utilLib/common.h>
+#include <CommonCrypto/CommonDigest.h>
+
+#define LOG_TOP_IO 0
+#if LOG_TOP_IO
+
+static void logWrite(
+ char *who,
+ size_t written)
+{
+ pthread_mutex_lock(&printfMutex);
+ printf("+++ %s wrote %4lu bytes\n", who, (unsigned long)written);
+ pthread_mutex_unlock(&printfMutex);
+}
+
+static void logRead(
+ char *who,
+ size_t bytesRead)
+{
+ pthread_mutex_lock(&printfMutex);
+ printf("+++ %s read %4lu bytes\n", who, (unsigned long)bytesRead);
+ pthread_mutex_unlock(&printfMutex);
+}
+
+#else /* LOG_TOP_IO */
+#define logWrite(who, w)
+#define logRead(who, r)
+#endif /* LOG_TOP_IO */
+
+/*
+ * Callback from ST to calculate master secret.
+ * We do a poor person's T_PRF(), taking the hash of:
+ *
+ * serverRandom | clientRandom | sharedSecret
+ *
+ * ...to prove that both sides can come up with a master secret
+ * independently, using both sides' random values and the shared secret
+ * supplied by the app.
+ *
+ * We happen to have a digest that produces the required number
+ * of bytes (48)...
+ */
+static void sslMasterSecretFunction(
+ SSLContextRef ctx,
+ const void *arg, /* actually a RingBufferArgs */
+ void *secret, /* mallocd by caller, SSL_MASTER_SECRET_SIZE */
+ size_t *secretLength) /* in/out */
+{
+ RingBufferArgs *sslArgs = (RingBufferArgs *)arg;
+ if(*secretLength < SSL_MASTER_SECRET_SIZE) {
+ printf("**Hey! insufficient space for master secret!\n");
+ return;
+ }
+
+ unsigned char r[SSL_CLIENT_SRVR_RAND_SIZE];
+ size_t rSize = SSL_CLIENT_SRVR_RAND_SIZE;
+ CC_SHA512_CTX digestCtx;
+ CC_SHA384_Init(&digestCtx);
+ SSLInternalServerRandom(ctx, r, &rSize);
+ CC_SHA384_Update(&digestCtx, r, rSize);
+ SSLInternalClientRandom(ctx, r, &rSize);
+ CC_SHA384_Update(&digestCtx, r, rSize);
+ CC_SHA384_Update(&digestCtx, sslArgs->sharedSecret, SHARED_SECRET_SIZE);
+ CC_SHA384_Final((unsigned char *)secret, &digestCtx);
+ *secretLength = CC_SHA384_DIGEST_LENGTH;
+}
+
+/* client thread - handshake and write some data */
+void *rbClientThread(void *arg)
+{
+ RingBufferArgs *sslArgs = (RingBufferArgs *)arg;
+ OSStatus ortn;
+ SSLContextRef ctx = NULL;
+ RingBuffers ringBufs = {sslArgs->ringRead, sslArgs->ringWrite};
+ char sessionID[MAX_SESSION_ID_LENGTH];
+ size_t sessionIDLen = MAX_SESSION_ID_LENGTH;
+ unsigned toMove;
+ unsigned thisMove;
+
+ ortn = SSLNewContext(false, &ctx);
+ if(ortn) {
+ printSslErrStr("SSLNewContext", ortn);
+ goto cleanup;
+ }
+ ortn = SSLSetIOFuncs(ctx, ringReadFunc, ringWriteFunc);
+ if(ortn) {
+ printSslErrStr("SSLSetIOFuncs", ortn);
+ goto cleanup;
+ }
+ ortn = SSLSetConnection(ctx, (SSLConnectionRef)&ringBufs);
+ if(ortn) {
+ printSslErrStr("SSLSetConnection", ortn);
+ goto cleanup;
+ }
+ /* EAP is TLS only - disable the SSLv2-capable handshake */
+ ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocol2, false);
+ if(ortn) {
+ printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
+ goto cleanup;
+ }
+ ortn = SSLInternalSetMasterSecretFunction(ctx, sslMasterSecretFunction, sslArgs);
+ if(ortn) {
+ printSslErrStr("SSLInternalSetMasterSecretFunction", ortn);
+ goto cleanup;
+ }
+ ortn = SSLInternalSetSessionTicket(ctx, sslArgs->sessionTicket,
+ sslArgs->sessionTicketLen);
+ if(ortn) {
+ printSslErrStr("SSLInternalSetSessionTicket", ortn);
+ goto cleanup;
+ }
+ if(sslArgs->trustedRoots) {
+ ortn = SSLSetTrustedRoots(ctx, sslArgs->trustedRoots, true);
+ if(ortn) {
+ printSslErrStr("SSLSetTrustedRoots", ortn);
+ goto cleanup;
+ }
+ }
+ if(sslArgs->hostName) {
+ ortn = SSLSetPeerDomainName(ctx, sslArgs->hostName, strlen(sslArgs->hostName));
+ if(ortn) {
+ printSslErrStr("SSLSetPeerDomainName", ortn);
+ goto cleanup;
+ }
+ }
+
+ /* tell main thread we're ready; wait for sync flag */
+ sslArgs->iAmReady = true;
+ while(!(*sslArgs->goFlag)) {
+ if(*sslArgs->abortFlag) {
+ goto cleanup;
+ }
+ }
+
+ /* GO handshake */
+ sslArgs->startHandshake = CFAbsoluteTimeGetCurrent();
+ do {
+ ortn = SSLHandshake(ctx);
+ if(*sslArgs->abortFlag) {
+ goto cleanup;
+ }
+ } while (ortn == errSSLWouldBlock);
+
+ if(ortn) {
+ printSslErrStr("SSLHandshake", ortn);
+ goto cleanup;
+ }
+
+ SSLGetNegotiatedCipher(ctx, &sslArgs->negotiatedCipher);
+ SSLGetNegotiatedProtocolVersion(ctx, &sslArgs->negotiatedProt);
+
+ ortn = SSLGetResumableSessionInfo(ctx, &sslArgs->sessionWasResumed, sessionID, &sessionIDLen);
+ if(ortn) {
+ printSslErrStr("SSLGetResumableSessionInfo", ortn);
+ goto cleanup;
+ }
+
+ sslArgs->startData = CFAbsoluteTimeGetCurrent();
+
+ toMove = sslArgs->xferSize;
+
+ if(toMove == 0) {
+ sslArgs->endData = sslArgs->startData;
+ goto cleanup;
+ }
+
+ /* GO data xfer */
+ do {
+ thisMove = sslArgs->chunkSize;
+ if(thisMove > toMove) {
+ thisMove = toMove;
+ }
+ size_t moved;
+ ortn = SSLWrite(ctx, sslArgs->xferBuf, thisMove, &moved);
+ /* should never fail - implemented as blocking */
+ if(ortn) {
+ printSslErrStr("SSLWrite", ortn);
+ goto cleanup;
+ }
+ logWrite("client", moved);
+ toMove -= moved;
+ if(*sslArgs->abortFlag) {
+ goto cleanup;
+ }
+ } while(toMove);
+
+ sslArgs->endData = CFAbsoluteTimeGetCurrent();
+
+cleanup:
+ if(ortn) {
+ *sslArgs->abortFlag = true;
+ }
+ if(*sslArgs->abortFlag && sslArgs->pauseOnError) {
+ /* abort for any reason - freeze! */
+ testError(CSSM_FALSE);
+ }
+ if(ctx) {
+ SSLClose(ctx);
+ SSLDisposeContext(ctx);
+ }
+ if(ortn) {
+ printf("***Client thread returning %lu\n", (unsigned long)ortn);
+ }
+ pthread_exit((void*)ortn);
+ /* NOT REACHED */
+ return (void *)ortn;
+
+}
+
+/* server function - like clientThread except it runs from the main thread */
+/* handshake and read some data */
+OSStatus rbServerThread(RingBufferArgs *sslArgs)
+{
+ OSStatus ortn;
+ SSLContextRef ctx = NULL;
+ RingBuffers ringBufs = {sslArgs->ringRead, sslArgs->ringWrite};
+ char sessionID[MAX_SESSION_ID_LENGTH];
+ size_t sessionIDLen = MAX_SESSION_ID_LENGTH;
+ unsigned toMove;
+ unsigned thisMove;
+
+ ortn = SSLNewContext(true, &ctx);
+ if(ortn) {
+ printSslErrStr("SSLNewContext", ortn);
+ goto cleanup;
+ }
+ ortn = SSLSetIOFuncs(ctx, ringReadFunc, ringWriteFunc);
+ if(ortn) {
+ printSslErrStr("SSLSetIOFuncs", ortn);
+ goto cleanup;
+ }
+ ortn = SSLSetConnection(ctx, (SSLConnectionRef)&ringBufs);
+ if(ortn) {
+ printSslErrStr("SSLSetConnection", ortn);
+ goto cleanup;
+ }
+ if(sslArgs->setMasterSecret) {
+ ortn = SSLInternalSetMasterSecretFunction(ctx, sslMasterSecretFunction, sslArgs);
+ if(ortn) {
+ printSslErrStr("SSLInternalSetMasterSecretFunction", ortn);
+ goto cleanup;
+ }
+ }
+ if(sslArgs->idArray) {
+ ortn = SSLSetCertificate(ctx, sslArgs->idArray);
+ if(ortn) {
+ printSslErrStr("SSLSetCertificate", ortn);
+ goto cleanup;
+ }
+ }
+ if(sslArgs->trustedRoots) {
+ ortn = SSLSetTrustedRoots(ctx, sslArgs->trustedRoots, true);
+ if(ortn) {
+ printSslErrStr("SSLSetTrustedRoots", ortn);
+ goto cleanup;
+ }
+ }
+
+ /* tell client thread we're ready; wait for sync flag */
+ sslArgs->iAmReady = true;
+ while(!(*sslArgs->goFlag)) {
+ if(*sslArgs->abortFlag) {
+ goto cleanup;
+ }
+ }
+
+ /* GO handshake */
+ sslArgs->startHandshake = CFAbsoluteTimeGetCurrent();
+ do {
+ ortn = SSLHandshake(ctx);
+ if(*sslArgs->abortFlag) {
+ goto cleanup;
+ }
+ } while (ortn == errSSLWouldBlock);
+
+ if(ortn) {
+ printSslErrStr("SSLHandshake", ortn);
+ goto cleanup;
+ }
+
+ SSLGetNegotiatedCipher(ctx, &sslArgs->negotiatedCipher);
+ SSLGetNegotiatedProtocolVersion(ctx, &sslArgs->negotiatedProt);
+ ortn = SSLGetResumableSessionInfo(ctx, &sslArgs->sessionWasResumed, sessionID, &sessionIDLen);
+ if(ortn) {
+ printSslErrStr("SSLGetResumableSessionInfo", ortn);
+ goto cleanup;
+ }
+
+ sslArgs->startData = CFAbsoluteTimeGetCurrent();
+
+ toMove = sslArgs->xferSize;
+
+ if(toMove == 0) {
+ sslArgs->endData = sslArgs->startData;
+ goto cleanup;
+ }
+
+ /* GO data xfer */
+ do {
+ thisMove = sslArgs->xferSize;
+ if(thisMove > toMove) {
+ thisMove = toMove;
+ }
+ size_t moved;
+ ortn = SSLRead(ctx, sslArgs->xferBuf, thisMove, &moved);
+ switch(ortn) {
+ case noErr:
+ break;
+ case errSSLWouldBlock:
+ /* cool, try again */
+ ortn = noErr;
+ break;
+ default:
+ break;
+ }
+ if(ortn) {
+ printSslErrStr("SSLRead", ortn);
+ goto cleanup;
+ }
+ logRead("server", moved);
+ toMove -= moved;
+ if(*sslArgs->abortFlag) {
+ goto cleanup;
+ }
+ } while(toMove);
+
+ sslArgs->endData = CFAbsoluteTimeGetCurrent();
+
+cleanup:
+ if(ortn) {
+ *sslArgs->abortFlag = true;
+ }
+ if(*sslArgs->abortFlag && sslArgs->pauseOnError) {
+ /* abort for any reason - freeze! */
+ testError(CSSM_FALSE);
+ }
+ if(ctx) {
+ SSLClose(ctx);
+ SSLDisposeContext(ctx);
+ }
+ if(ortn) {
+ printf("***Server thread returning %lu\n", (unsigned long)ortn);
+ }
+ return ortn;
+}
projects / apple / security.git / blobdiff